Carrot or the Stick – Sharing Different Consequence Management Frameworks


Session Insights
Written by Liam McGlynn

Neil Bennett, CISO, UK Home Office

Tammy Archer, CISO, Inchcape

Karen White, CISO, Direct Line Group

JULY 2023

Across organisations, security awareness budgets continue to rise as the threat landscape grows across an increasingly distributed workforce. Evanta’s Leadership Perspective Survey shows that ‘security awareness’ ranks as the #6 priority for CISOs across the EMEA region. Despite increased attention and initiatives from CISOs, traditional security awareness programmes continually fail to reduce unsecure employee behaviours, according to Gartner.

Gartner’s 2022 Drivers of Secure Behaviour Survey found that 69% of employees intentionally bypassed their organisation’s cybersecurity guidance, and over 90% of survey respondents who admitted to this acknowledged that they knew their actions would increase cybersecurity risk levels for their organisation but did so regardless. Moreover, it was found that 74% of employees will bypass a security control if it helps them, or their team, achieve a business objective.

This is unsurprising when considering that KPIs are typically framed around delivering outcomes, and adhering to standard cybersecurity regulations can sometimes impair employees’ ability to do so efficiently.

Cybersecurity leaders are beginning to question traditional assumptions about what an effective security awareness programme should look like, and about the appropriate response to employees who consistently fail to adhere to cybersecurity policies. The term “consequence management” is becoming more common: encouraging correct cyber behaviour among employees, and deciding how strict the consequences for not doing so should be, is an increasingly complex issue.

At one of the most popular sessions of the UK & Ireland CISO Executive Summit this May, community members came together to explore different approaches to consequence management. Leading this discussion, Neil Bennett, CISO at the UK Home Office, Tammy Archer, CISO at Inchcape, and Karen White, CISO at Direct Line Group, shared their own consequence management frameworks, what has been successful, and the best practices and lessons learned along the way.

Here are some of the key points discussed:

Use Relatable Terminology when Communicating Risk

As the panel discussed, a central issue is that many employees do not fully understand the potential ramifications of their unsecure online behaviours. In such instances, employees may recognise that a particular behaviour is unsecure but may not be aware of the true severity of the accompanying risks.

It is therefore crucial for CISOs to communicate risky behaviours, and the risks that follow from them, in a clear and intelligible way. This is especially pertinent for employees working remotely under the false assumption that their virtual perimeter will protect them from all external cyber threats.

Clearly, it is not enough for employees to know that a particular set of behaviours is unsecure; they also need a greater awareness of the reasons why this is the case. This must be communicated in relatable, intelligible terms rather than through broad, sweeping policies.

Rethink Traditional Training Programmes to Improve Security Awareness

Another key point discussed by the panel was the ineffectiveness of traditional annual training methods. Typically covering vast amounts of information, these programmes often fail to effectively engage employees, many of whom consider them to be ‘tick box’ exercises.

Rather, organisations should implement a system of ‘drip feeding’ information – but not to the extent that employees feel overwhelmed. One suggestion was a series of short 5–10-minute podcasts, for employees to listen to a few days each week while commuting or taking short breaks from their daily tasks.

By implementing a system of short, regular refreshers, rather than hour-long programmes on an annual basis, you can keep secure online behaviours at the forefront of employees’ minds.

Establish a Connection Between Cybersecurity in Corporate and Personal Life 

For remote workers in particular, the panel reiterated the importance of establishing a strong link between corporate and personal or home life. Reminding employees that there are certain online behaviours they would not perform on their personal computers helps to recontextualise cyber risk in the corporate setting, making it far more relatable. Parallels were drawn with parental behaviours, where it is common to place limitations on children’s online activities.

Principally, the panel agreed that a key element in articulating cyber risk is to instil this message: if you would not perform a certain behaviour at home, why would you do so in the workplace?

Ensure Psychological Safety by Implementing an Amnesty Policy

While the approaches discussed are certainly effective methods for limiting risky behaviours among employees, these behaviours are still likely to occur – albeit less commonly. It is therefore important to consider what the appropriate response should be in such cases.

The adoption of an amnesty policy was proposed, whereby employees who have behaved in unsecure ways feel that they can come forward and be transparent about the errors they have made, rather than simply waiting to see if, or when, the matter escalates to the security teams.

Enabling a culture of psychological safety is crucial since it allows cybersecurity teams to address incidents immediately before they develop into something far more significant. Moreover, CISOs must refrain from ‘naming and shaming’ employees who have made these errors, as this effectively undermines the foundation of trust that makes the culture of psychological safety possible.

In these scenarios, it is necessary for the CISO to show empathy – to consider the motivations behind risk behaviours and work towards changing these behaviours, through the aforementioned approaches.

Closing Considerations

In this session, the panel agreed that consequence management is about embedding cybersecurity as part of the fabric of life in the business – not simply focusing on a particular behaviour employees may have carried out. Overall, it is not simply a matter of dealing with the consequences of unsecure behaviours, but getting employees to truly feel that they are part of the solution. 

This session was attended by CISOs and security leaders from various organisations, including Altus Group, AXA, TUI, Evri, Direct Line Group, and more. Evanta creates an open space for executives to share their experiences with each other.

Content adapted from the UK & Ireland CISO Executive Summit. Special thanks to all participating companies.
